New Member

Fragment size for FWSM

Hi,

Just need to know if anyone has encountered the problem with the following error message:

Error Message %PIX-4-209003: Fragment database limit of number exceeded: src = IP_address,dest = IP_address, proto = protocol, id = number

The problem lies with the Japanese Windows client PCs or notebooks going from one VLAN to another VLAN.

I have increased the fragment size to 1000 and the Japanese OS is able to log in.

Just need to know what the recommended max limit is that I should set for the fragment size, as I cannot just keep increasing it when more Japanese Windows clients are attached to the network.

By increasing the fragment size, it may incur a Denial of Service, as mentioned in the syslog message in the PIX documentation.

Any advice on this issue?

Thanks

2 REPLIES
Bronze

Re: Fragment size for FWSM

I don't think this is documented anywhere, but you can set the value to 1500 I guess.

Cisco Employee

Re: Fragment size for FWSM

Hi,

Haven't tried this, but this might help.

From the details of "show fragment outside" (or whatever the concerned interface is), the values of Queue:xxxx, Assemble:xxxx, Fail:x, Overflow:x will give an indication as to how heavy or light the fragment database is for any of the settings that are configured for the fragment. You will need to tweak it until these values do not show high values.

More info at the below URL; choose 'fragment':

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_62/cmdref/df.htm#1029667

Especially watch out for this; Setting the database-limit of the size option to a large value can make the PIX Firewall more vulnerable to a DoS attack by fragment flooding. Do not set the database-limit equal to or greater than the total number of blocks in the 1550 or 16384 pool.

Thanks,

yatin
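A small checker for the tuning loop described in this reply, added here as an example and not taken from the post or from Cisco: it parses `show fragment` output per interface, flags an interface whose Fail or Overflow counters are non-zero or whose Queue is close to the configured Size, and applies the documented rule that the database limit must stay below the block count of the 1550 or 16384 pool. The sample output is constructed and its line layout is an approximation of the real command; the `queue_ratio` threshold and the pool block count used in the check are assumptions.

```python
import re

# Constructed sample of "show fragment" output; the counter names follow the
# reply above, the layout is approximated and not a real device capture.
SAMPLE_SHOW_FRAGMENT = """\
Interface: outside
    Size: 200, Chain: 24, Timeout: 5, Threshold: 133
    Queue: 12, Assemble: 48211, Fail: 0, Overflow: 0
Interface: inside
    Size: 1000, Chain: 24, Timeout: 5, Threshold: 667
    Queue: 960, Assemble: 90321, Fail: 37, Overflow: 5
"""

IFACE_RE = re.compile(r"^Interface:\s*(\S+)")
KV_RE = re.compile(r"([A-Za-z]+):\s*(\d+)")


def parse_show_fragment(text):
    """Return {interface: {field: int}} from show fragment output."""
    stats, current = {}, None
    for line in text.splitlines():
        m = IFACE_RE.match(line)
        if m:
            current = m.group(1)
            stats[current] = {}
            continue
        if current:
            for key, value in KV_RE.findall(line):
                stats[current][key] = int(value)
    return stats


def fragment_health(stats, queue_ratio=0.8):
    """Flag interfaces whose fragment database looks overloaded: any Fail or
    Overflow, or Queue at/above queue_ratio (assumed 80%) of the configured Size."""
    findings = {}
    for iface, s in stats.items():
        reasons = []
        if s.get("Overflow", 0) > 0:
            reasons.append("overflow")
        if s.get("Fail", 0) > 0:
            reasons.append("fail")
        if s.get("Size") and s.get("Queue", 0) >= queue_ratio * s["Size"]:
            reasons.append("queue-near-size")
        if reasons:
            findings[iface] = reasons
    return findings


def size_within_pool(size, pool_blocks):
    """Documented rule: the database limit must be strictly less than the total
    number of blocks in the 1550 or 16384 pool (block totals come from 'show blocks')."""
    return size < pool_blocks
```

Run it against the output of each interface after every change to the `fragment size` setting; an interface that keeps showing `fail` or `overflow` still loses fragments, while one that never comes near its Size is a candidate for a lower, less DoS-exposed limit.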
